Recently, applications have increasingly relied on encrypted transport protocols, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), Microsoft Kerberos (MS-KRB), and/or Microsoft Windows NT LAN Management (MS-NTLM), rather than on network security. Application privacy and data integrity (e.g., encryption and signing), applied end-to-end by the application protocol from the application client to the application server, effectively blind the network and challenge its ability to continue providing network service functions.
Some products, in fields such as Wide Area Network (WAN) Optimization, security, Content Delivery Network (CDN), and Application Visibility and Control (AVC), solve this problem by proxying the security protocol on the network device. All these solutions rely on the network device being configured or provided with private keying material so that it can terminate session security and handle application traffic with access to the application's plain text content.
The requirement of these products to hold private keying material imposes a constraint which may not be satisfied in all enterprise customer use cases and deployments. In some use cases, interposing devices will reside in a physical location or at an enterprise network perimeter where the interposing device cannot hold private keying material.